Joint Statement on Banks’ Arrangements with Third Parties to Deliver Bank Deposit Products and Services
Samantha: Hello, this is Samantha Shares.
This episode covers the
Joint Statement on Banks’
Arrangements with Third Parties to
Deliver Bank Deposit Products and Services
Note that N C U A is not part of this
issuance, however, it is still relevant
to credit unions’ consideration of risks.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
forty years of National Credit
Union Administration experience.
We assist our clients with N C
U A so they save time and money.
If you are worried about a recent,
upcoming or in process N C U A
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with N C U A.
And now the joint statement.
Joint Statement on Banks’ Arrangements
with Third Parties to Deliver
Bank Deposit Products and Services
The Board of Governors of the Federal
Reserve System (Board), the Federal
Deposit Insurance Corporation (FDIC),
and the Office of the Comptroller of
the Currency (OCC) (collectively, the
agencies) are issuing this statement
to note potential risks related to
arrangements between banks and third
parties1 to deliver bank deposit products
and services to end users.2 This statement
highlights examples of risk management
practices by banks to manage such risks.
This statement reemphasizes existing
guidance; it does not alter existing
legal or regulatory requirements or
establish new supervisory expectations.
The agencies support responsible
innovation and support banks in pursuing
third-party arrangements in a manner
consistent with safe and sound practices
and in compliance with applicable laws
and regulations, including, but not
limited to, those designed to protect
consumers (such as fair lending laws
and prohibitions against unfair,
deceptive, or abusive acts or practices)
and those addressing financial crimes
(such as fraud and money laundering).
Banks are neither prohibited
nor discouraged from providing
banking services to customers of
any specific class or type, as
permitted by law or regulation.
Some banks have entered into arrangements
with third parties to deliver deposit
products and services (such as checking
and savings accounts) to end users.
Banks may do this in order to increase
revenue, raise deposits, expand
geographic reach, or to achieve other
strategic objectives, including by
leveraging new technology or offering
innovative products and services.
In these arrangements, a third party,
rather than the bank, typically
markets, distributes or otherwise
provides access to or facilitates the
provision of the deposit product or
service directly to the end user.3 In
some arrangements, banks rely on one
or multiple third parties to maintain
the deposit and transaction system of
record; process payments (sometimes with
the ability to directly submit payment
instructions to payment networks);
perform regulatory compliance functions;
provide end-user facing technology
applications; service accounts; perform
customer service; and perform complaint
and dispute resolution functions.
These third parties are sometimes
referred to as intermediate
platform providers, processors,
middleware providers, aggregation
layers, and/or program managers.
A bank’s use of third parties to perform
certain activities does not diminish
its responsibility to comply with
all applicable laws and regulations.
1 These sometimes include non-bank
companies, such as, but not
limited to, certain financial
technology (or fintech) companies.
2 For purposes of this statement,
an “end user” includes consumers
and businesses accessing deposit
products and services through the
arrangements described in this statement.
3 These arrangements are sometimes
referred to as “banking-as-a-service”
or “embedded finance” depending
on the structure and parties
involved in the arrangement.
Similar structures have been utilized for
certain activities in the banking industry
for many years, such as activities
related to prepaid card programs.
However, the agencies have observed
an evolution and expansion of
these arrangements to include more
complex arrangements that involve
the reliance on third parties to
deliver deposit products and services.
POTENTIAL RISKS
Depending on the structure,
third-party arrangements for the
delivery of deposit products and
services can involve elevated risks.
The agencies have observed that
risks may be elevated in certain
circumstances, such as the examples below.
Operational and Compliance
⢠Significant operations performed by a
third party: Substantially relying on
third parties to manage a bankâs deposit
operations can eliminate or reduce a
bankâs crucial existing controls over
and management of the deposit function.
Without adequate initial due
diligence and ongoing monitoring,
risks to the integrity of a bank’s
deposit function are heightened.4
⢠Fragmented operations: Fragmented
operational functions for deposit products
and services among multiple third parties
may make it more difficult for the bank
to effectively assess risks and assess
whether all third parties can and do
perform assigned functions as intended.
⢠Lack of access to records: A potential
lack of sufficient access by a bank to
the deposit and transaction system of
record and other crucial information
and data maintained by the third
party can impair the bank’s ability
to determine its deposit obligations.
In some circumstances, such uncertainty
can lead to delays in end-users’
access to their deposits, which
in turn can expose the bank to
additional legal and compliance risks.
⢠Third parties performing compliance
functions: Reliance on third parties to
perform regulatory compliance functions
may increase the risk of the bank not
meeting its regulatory requirements.
Specifically, the third party may
perform certain regulatory compliance
functions such as monitoring and
reporting suspicious activity,
customer identification programs,
customer due diligence, and sanctions
compliance on behalf of the bank.
Regardless of whether the functions
are shared between the bank and
the third party, the bank remains
responsible for failure to comply
with applicable requirements.
⢠Insufficient risk management to meet
consumer protection obligations:
Insufficient oversight of these
arrangements may impact a bankâs
compliance with consumer protection laws
and regulations, such as requirements
under Regulation E (implementing
the Electronic Fund Transfer Act)
to investigate and resolve certain
payment disputes within required
4 Depending on the structure, such
arrangements may also introduce
security vulnerabilities, including
by providing another access
point into the bankâs systems.
Integration may amplify operational
risks, such as fraud, cybersecurity, and
data privacy incidents occurring at the
third party that then affect the bank.
timeframes, and under Regulation DD
(implementing the Truth in Savings
Act) to provide certain disclosures
regarding consumer deposit accounts.
Presenting insufficient or misleading
information to end users also may
result in violations of laws and
regulations, including consumer
protection requirements.5 In addition,
inadequate complaint administration
and error resolution processes may
limit a bank’s ability to effectively
identify and address issues impacting
end users of the deposit accounts and
result in potential consumer harm.
⢠Lack of contracts: Multiple levels
of third-party and subcontractor
relationships, where the bank
does not have direct contracts
with entities that perform crucial
functions may pose challenges to the
bank’s ability to identify, assess,
monitor, and control various risks.
⢠Lack of experience with new methods:
Arrangements leveraging new technologies
or new methods of facilitating deposit
products and services with which bank
management and staff do not have prior
experience may result in inadequate
risk and compliance management
practices to manage or oversee these
arrangements and associated risks.
⢠Weak audit coverage: Lack of sufficient
audit scope and coverage, follow-up
processes, and remediation may
result in inadequate oversight of
these arrangements and reduce the
effectiveness of the audit function.
Growth
⢠Misaligned incentives: A third partyâs
incentives may not be aligned with those
of the bank, such as when a third party
may be incentivized to promote growth
in a manner that is not aligned with the
bank’s regulatory obligations, resulting
in insufficient attention to risk
management and compliance obligations.
⢠Operational capabilities lag growth:
Rapid growth as a result of these
arrangements (either in the overall
number of arrangements or in the size
of specific arrangements) may result
in risk management and operational
processes struggling to keep pace.
⢠Financial risks from funding
concentrations: Arrangements may result
in significant and rapidly increasing
funding concentrations, which may make
it more challenging for the bank to
manage and mitigate liquidity and funding
risks, particularly when funding is
deployed in illiquid or long-term assets.
⢠Inability to manage emerging liquidity
risks: Arrangements where a significant
proportion of a bankâs deposits or revenue
are associated with a third party may pose
liquidity risks, such that the bank may
be reluctant to make decisions necessary
to manage those risks, including, if
necessary, to terminate the arrangement.
5 Such laws and regulations include (among
others) the prohibition against unfair or
deceptive acts or practices under Section
5 of the Federal Trade Commission Act, and
the prohibition against unfair, deceptive,
or abusive acts or practices under Title
X of the Dodd-Frank Wall Street Reform and
Consumer Protection Act (Dodd-Frank Act).
⢠Pressure on capital levels: Arrangements
may result in material and rapid balance
sheet growth (including significant
intraday balance sheet levels) without
commensurate capital formation.
End User Confusion and Misrepresentation
of Deposit Insurance Coverage
⢠Potentially misleading statements and
marketing: Third-party arrangements
for the delivery of deposit products
and services can pose risks of end
user confusion related to deposit
insurance, which may be exacerbated
by marketing materials or other
statements by nonbank third parties.
Some nonbank third parties could be
reasonably mistaken for an insured
depository institution (IDI) by end
users, particularly when they refer
to FDIC deposit insurance in marketing
and other public-facing materials.
End users may not be aware that access
to their funds may depend on the third
party and that deposit insurance does
not protect against losses resulting
from the failure of the third party.
⢠Regulatory violations: Inaccurate
or misleading information regarding
the extent or manner under which
deposit insurance coverage is
available could constitute a
violation under Part 328, Subpart B.6
o Omissions of material information
also may constitute misrepresentations
under the FDIC’s rule.
Such deposit insurance misrepresentations
may occur, for example, when nonbank
third parties have communicated to
end users that their funds are FDIC
insured, without disclosing that FDIC
insurance protects only against the
failure of an IDI, and not against
the failure of the nonbank entity.
o Deposit insurance misrepresentations
under Part 328 may also occur
when parties to these arrangements
communicate to end users that their
funds are insured by the FDIC on a
pass-through basis without disclosing
that certain regulatory requirements7
must be satisfied for pass-through
deposit insurance coverage to apply.8
RISK MANAGEMENT AND
GOVERNANCE CONSIDERATIONS
Banks are expected to operate in a
safe and sound manner and in compliance
with applicable laws and regulations,
including those related to safety
and soundness, consumer protection,
and anti-money laundering/countering
the financing of terrorism (AML/CFT).
6 See 12 CFR 328, Subpart B.
7 See 12 CFR 330.5, 330.7.
For pass-through deposit insurance
to apply, a consumer’s funds must
first be on deposit at an IDI.
In addition: (1) the deposit account
records of the IDI must disclose a
basis for pass-through coverage, such
as a custodial or agency relationship;
(2) the identities and interests of
the actual owners of the funds must be
ascertainable either from the records
of the IDI or records maintained in
good faith and in the regular course of
business by another party; and (3) the
relationship that provides the basis for
pass-through deposit insurance coverage
must be genuine, with the deposited
funds actually owned by the named owners.
Additional requirements apply
to arrangements involving
multiple levels of relationships.
8 See 12 CFR 328.102(b)(5).
Effective board and
senior management oversight is crucial to
ensure a bank’s risk management practices
are commensurate with the complexity,
risk, size, and nature of the activity and
relationship, both when the relationship
commences and as it evolves over time.
In this regard, banks should ensure
practices are consistent with the
Interagency Guidelines Establishing
Standards for Safety and Soundness,9 and
banks also are encouraged to review and
consider the risk management principles
for third-party relationships set forth
in the Interagency Guidance on Third-Party
Relationships: Risk Management.10
The list at the end of this document
provides various existing resources,
including guidance, that may be helpful
for banks managing such arrangements.
The agencies have observed examples
of effective risk management practices
that a bank may consider when managing
third-party arrangements for the
delivery of deposit products and
services, including the examples below.11
Governance and Third-Party
Risk Management12
⢠Developing and maintaining appropriate
policies and procedures that detail
organizational structures, lines of
reporting and authorities, expertise
and staffing, internal controls,
and audit functions to ensure that
risks are understood and mitigated.
⢠Developing appropriate risk assessments
that identify and analyze risks specific
to features of each arrangement.
This practice is important to allow the
bank to assess whether proposed controls
can appropriately mitigate risks in
keeping with the bank’s risk appetite.
Effective risk assessments typically
involve expertise across relevant
functional areas of the bank including
risk management and compliance, and also
consider the activities and features
specific to an arrangement to assist
in implementing effective controls.
9 See Interagency Guidelines Establishing
Standards for Safety and Soundness 12
CFR part 30, Appendix A (OCC); 12 CFR
part 208, Appendix D-1 (Board); and
12 CFR part 364, Appendix A (FDIC)
(issued pursuant to section 39 of the
Federal Deposit Insurance Act, 12 U.S.C.
1831p-1) (hereinafter “Safety
and Soundness Standards”).
10 Interagency Guidance on Third-Party
Relationships: Risk Management, 88 Fed.
Reg.
37,920 (June 9, 2023)
(hereinafter “TPRM”).
11 These examples are not a complete list
of practices that could be considered in
managing the risks of such arrangements.
12 These risk management practices are
drawn from applicable statutes, rules,
and enforceable guidelines including the
Safety and Soundness Standards, supra n.
9, and Interagency Guidelines Establishing
Information Security Standards, 12 CFR
part 30, Appendix B (OCC); 12 CFR part
208, Appendix D-2 (Board); and 12 CFR
part 364, Appendix B (FDIC) (issued
pursuant to sections 501 and 505 of
the Gramm-Leach-Bliley Act, 15 U.S.C.
6801 and 6805, and section 39 of the
Federal Deposit Insurance Act, 12 U.S.C.
1831p-1) (hereinafter “Information
Security Standards”), as well as
existing guidance and resources,
including TPRM, supra n.
10; Conducting Due Diligence on
Financial Technology Companies: A Guide
for Community Banks (August 27, 2021)
(hereinafter “Community Bank Guide”);
and FFIEC Information Technology
Examination Handbook (hereinafter
“FFIEC IT Examination Handbook”).
• Conducting and documenting due
diligence that is of sufficient
scope and depth to determine whether
the bank can rely on third parties
to perform the various necessary
roles to deliver deposit products
and services on the bank’s behalf.
• Entering into contracts and agreements
that clearly define roles and
responsibilities of banks and third
parties and enable banks to manage the
risks of the arrangements effectively.
⢠Assessing potential risks when the
bank does not have a direct contractual
relationship with all parties with
significant roles to determine whether
and how such risks can be sufficiently
mitigated and remain consistent
with the bank’s risk appetite.
• Establishing effective ongoing monitoring
processes, commensurate with the risk
of each activity and relationship, and
sufficient to detect any issues so they
can be addressed in a timely manner.
Managing Operational and
Compliance Implications13
⢠Maintaining a clear understanding of any
management information system (MIS)14
that will be used to support the activity,
including any obligations and contractual
reporting requirements when the deposit
and transaction system of record is
managed through the third party or
through a subcontractor to another party.
⢠Developing and maintaining risk-based
contingency plans, which address
potential operational disruption or
business failure at the third party that
may disrupt end users’ access to funds,
including contractual provisions that
facilitate the bank’s contingency plans.
The contract might, for example, address
the transfer of the relevant accounts,
data, or activities to another entity in
the event of the third party’s bankruptcy,
business failure, business interruption,
or failure to perform as expected.
⢠Implementing internal controls to mitigate
risks inherent in deposit functions.
These could include, but are not limited
to, dual control and separation of
duties, payment data verification,
and clear error processing and
problem resolution procedures.
When deposit-related functions
are performed by a third party, due
diligence, contracts, and ongoing
monitoring can allow the bank to
assess accuracy, reliability, and
timeliness of controls and records.
⢠Establishing adequate policies,
procedures, oversight, and controls
to help ensure the bank complies with
applicable laws and regulations, including
consumer protection requirements.
13 These risk management practices are
drawn from applicable statutes, rules,
and enforceable guidelines including the
Safety and Soundness Standards, supra n.
9, and Information Security
Standards, supra n.
12, as well as existing guidance and
resources, including TPRM, supra n.
10; Community Bank Guide, supra n.
12; FFIEC IT Examination
Handbook, supra n.
12; and Interagency Guidance on Deposit
Reconciliation Practices (May 18, 2016).
14 In arrangements where the third
party manages the MIS, a bank may
consider potential risks to the bank
(such as consumer harm, business
disruptions due to partner default,
and access to/receipt of MIS), any
potential implications to compliance
with applicable laws and regulations,
and appropriate mitigation measures.
A bank may typically consider factors
such as the third party’s ability
to maintain the confidentiality,
availability, and integrity of the bank’s
systems, information, and data, as well
as customer data, where applicable.
Effective compliance management
includes conducting active oversight
of third-party relationships; ensuring
effective complaint management, error
investigation and resolution; maintaining
written policies and procedures;
ensuring appropriate consumer
protection-related disclosures; and managing a
potential disruption of service.15
Anti-Money Laundering (AML)
/ Countering the Financing of Terrorism
(CFT) / Sanctions Compliance16
⢠Having adequate policies, procedures,
oversight, and controls to help ensure
the bank complies with applicable AML/CFT
requirements (e.g., monitoring for and
reporting suspicious activity, customer
identification programs, and customer
due diligence) and sanctions compliance.
Managing Growth, Liquidity,
and Capital Implications17
⢠Establishing appropriate concentration
limits, diversification strategies,
liquidity risk management strategies,
and exit strategies, as well as
maintaining capital adequacy.
This may include contingency funding plans
that describe how the bank will respond to
customers’ unexpected deposit withdrawals
and reasonable assumptions, such as
non-maturity deposit customer behavior.
• Performing appropriate analysis to
determine whether parties involved in the
placement of deposits meet the definition
of a deposit broker under 12 U.S.C.
1831f and implementing regulations,
12 CFR 337.6, and appropriately
reporting any such deposits as
brokered deposits in the Call Report.18
15 For example, banks are generally
required to make funds available
according to specific time schedules
and to disclose their funds availability
policies to their customers.
16 These risk management practices
are drawn from applicable law and
regulations, including 31 CFR 1010.230,
1020.220; 12 CFR 21.11, 208.62, 353;
and the Office of Foreign Assets
Control sanctions established under the
Trading with the Enemy Act, 50 U.S.C.
App.
1-44, and other relevant authorities.
17 These risk management practices are
drawn from applicable statute, rules, and
enforceable guidelines including 12 U.S.C.
1831f; 12 CFR 337.6; Safety and
Soundness Standards, supra n.
9; as well as existing guidance and
resources, including Interagency
Policy Statement on Funding and
Liquidity Risk Management, 75 Fed.
Reg.
13,656 (March 22, 2010) and
Joint Agency Policy Statement:
Interest Rate Risk, 61 Fed.
Reg.
33,166 (June 26, 1996).
18 Less than well capitalized institutions
under the respective Prompt Corrective
Action provisions have restrictions
on their ability to accept, renew,
or roll over brokered deposits.
12 CFR 337.6(a)(3), (b).
Addressing Misrepresentations
of Deposit Insurance Coverage19
⢠Establishing policies and procedures
and developing prudent risk management
practices for certain deposit-related
arrangements to ensure compliance with
12 CFR 328, Subpart B, which prohibits
misrepresentation of deposit insurance.20
⢠Ensuring such policies and procedures
include, as appropriate, provisions
related to monitoring and evaluating
activities of persons that facilitate
access to the bank’s deposit-related
services or products to other
parties, as required under Part 328.
19 See 12 CFR part 328, which applies
to IDIs (provisions effective on
April 1, 2024, with an extended
compliance date of January 1, 2025).
20 See 12 CFR 328.8.
This concludes this item.
If your credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at Mark Treichel dot com.
This is Samantha Shares and
we thank you for listening.